Aug 31, 2010—California has been issuing RFID transponders for electronic toll collection since 1993, when the San Joaquin Hills and Foothill/Eastern Transportation Corridor Agencies (TCA), which manage Orange County's 67-mile public toll-road system, deployed the technology on the Foothills Toll Road. Currently, more than 2 million drivers across the state carry FasTrak transponders in their vehicles, in order to bypass long lines at tollbooths (the system deducts a toll from a user's account each time an RFID reader mounted at a toll booth reads the tag of that person's car). And the San Joaquin Hills and Foothill/Eastern agencies are just two of many transportation organizations that use the tags for electronic toll collection. No current California laws govern how such agencies are to handle the personally identifiable data linked to each FasTrak account, but the state's legislature recently passed a bill, known as SB 1268, that sets down minimal requirements to ensure that a driver's private data is protected.

California's governor, Arnold Schwarzenegger, now has until Sept. 30 to sign the bill into law. While his office spokespeople say the governor has yet to take a position regarding the bill, he did approve a previous bill related to RFID technology, SB 31, in 2008, making it illegal to surreptitiously read (or "skim") RFID tags embedded in identity documents, while vetoing another measure, SB 29, that would have required schools to acquire parental consent before issuing RFID-enabled identity cards to students (see Schwarzenegger Signs Anti-Skimming RFID Measure But Vetoes Bill on School IDs).

SB 1268 would prohibit transit agencies from selling or providing personally identifiable information linked to a FasTrak account to a third party. The bill would also require that all transit agencies that read FasTrak tags establish a privacy policy regarding personally identifiable information linked to such accounts, and to provide the policy to subscribers and also post it on their Web sites. What's more, it would set a four-and-a-half year limit on the length of time that agencies could store account data after an account has been closed and all toll violations have been paid.

"Stripped down to its bare essence, this bill says, 'Let's not sell or share travel info. Let's respect drivers' locational privacy, and let's not keep [their] data into perpetuity,'" says California Senator Joe Simitian, who authored SB 1268, as well as the SB 29 and SB 31 bills introduced in 2008. If Governor Schwarzenegger signs SB 1268, Simitian believes the state will be the first in the United States to adopt such legislation.

To date, Simitian says, no privacy infringements linked to transit agencies reading FasTrak tags—which transmit a unique ID number linked to the account holder's name, contact information and debit account—have occurred. However, he notes, without legal guidelines, the potential for such violations exists. "One scenario," he says, "would be that a transit agency sells some information to Bob's Bar and Grill, and then you start getting advertisements for specials at the restaurant," because FasTrak could show that you drive by that establishment daily.

Simitian says he penned the bill so that the agencies that collect FasTrak data—which include the California Department of Transportation, the Bay Area Toll Authority (BATA), the TCA and any other entity operating a toll bridge, toll lane or toll highway within the state, or any entity under contract with any of the above entities—would be required to follow consistent rules that lay out a minimum requirement for how long FasTrak transaction data can be stored on the various agencies' computer systems.